EU AI Act Article 4: The AI Literacy Rule Is Already Live
The Obligation Nobody Told You Started
Here is the line we hear most from founders: "The EU AI Act? That's not due yet, we'll deal with it next year."
That belief is costing companies right now. One slice of the Act is already live. It has been since 2 February 2025. It is short, it is easy to miss, and it applies to almost everyone who uses AI at work. It is Article 4, the AI literacy obligation.
If your team uses ChatGPT, Copilot, an AI note-taker, an AI hiring filter, or any tool with "AI" in the pitch, this one is on you. Today. Not in 2027. Want the fast answer for your specific setup? Run the free risk check and we will tell you exactly what applies.
Check your risk level free (90 seconds)What Article 4 Actually Says
Article 4 of the EU AI Act (Regulation (EU) 2024/1689) puts a plain duty on both providers and deployers of AI systems. You must take measures to ensure a sufficient level of AI literacy among your staff, and among anyone else operating or using AI systems on your behalf.
"Sufficient" is the key word. The law does not hand you a fixed syllabus. It asks you to weigh a few things: the technical knowledge, experience, and education of the people involved, plus the context the AI is being used in and who it affects. A developer wiring an AI model into a product needs deeper understanding than a marketer drafting copy with an assistant. The bar moves with the role. That is the point.
So this is not a box you tick once. It is a duty to make sure the humans touching your AI actually understand what they are working with, at a level that fits what they do.
"Deployer" Probably Means You
A lot of SMEs read "providers and deployers" and assume neither word is about them. They are not building AI, so surely the Act passes them by.
It does not. Most small companies are deployers. A deployer is anyone using an AI system under their own authority in the course of business. Run an AI tool in your workflow and you are a deployer, even if a giant tech company built the model. The recruiter screening CVs with an AI filter, the support lead behind an AI chatbot, the ops manager letting an AI tool summarise meetings: all deployers. All inside Article 4.
You did not write the code. Does not matter. You put the system to work, so the literacy duty is yours.
What AI Literacy Looks Like In Practice
This is where people relax once they see it. Article 4 is not asking you to send everyone back to university. It wants reasonable, role-appropriate measures, and the ability to show you took them.
| Your situation | What "sufficient AI literacy" tends to look like |
|---|---|
| Small team using off-the-shelf AI tools | A short internal briefing on what the tools do, their limits, and what not to feed them. Written guidance staff can refer back to. |
| Staff making decisions with AI output (hiring, lending, support) | Training on bias, hallucination, and when a human must check the result before acting. |
| Technical staff integrating AI into a product | Deeper understanding of the model's capabilities, risks, and the relevant obligations under the Act. |
| Leadership and ops | Awareness of which AI systems are in use, who owns them, and what the Act requires of each. |
Notice what is missing from that table. There is no official "AI literacy certificate" issued by a regulator. Article 4 is not a certification scheme. No authority hands you a badge. It is an obligation to take sensible measures, document them, and be ready to demonstrate them if asked. Training records, an internal policy, a short onboarding module: that is the kind of evidence that shows you acted.
Run the free risk check and we will map which of these rows fits each AI system you run.
Check your risk level free (90 seconds)Why The Date Matters: Article 4 vs Article 50
This is the part worth pinning to your wall, because the dates are where the confusion lives.
The Act does not switch on all at once. Different duties land on different dates. Two are easy to mix up:
- Article 4 (AI literacy) has applied since 2 February 2025. Live now.
- Article 50 (transparency duties), like telling people they are talking to an AI or labelling AI-generated content, applies from 2 August 2026. Later.
So the obligation founders most often assume is "the AI Act starting" (the transparency labels) is actually the one that has not kicked in yet. The quieter one, literacy, is the one already running. People get this backwards constantly, and it is exactly why so many teams are out of step without knowing it.
"But Didn't They Delay The Whole Thing?"
Fair question, because there has been real noise about a delay.
Around 7 May 2026, EU policymakers provisionally agreed a "Digital Omnibus" package that could push back some of the high-risk system obligations, the Annex III ones, potentially as far as December 2027. We are watching it closely.
Two things to be clear about. First, that delay is proposed, not enacted. It is not law yet, and the detail can still shift. Second, and this is the part that matters here, the proposed delay targets high-risk obligations. It does not touch Article 4. The AI literacy duty stays exactly where it is: in force since February 2025.
If anything, the delay reinforces the point. Companies hear "delay" and assume the whole Act slid into the future. It did not. The piece that applies to nearly every AI user is already in effect, and no proposal on the table changes that.
What Happens If You Ignore It
Enforcement is its own timeline. Member states stand up their penalty regimes and start applying fines from 2 August 2026. So the machinery to penalise breaches generally begins then, not today. But the obligation to be literate exists now, and the clock on "did you take measures from February 2025" is already running.
When penalties do bite, the numbers are not small. Most obligation breaches under the Act can draw fines up to €15 million or 3% of global annual turnover. For SMEs there is a mercy in the drafting: you pay the lower of the two figures, not the higher. Small comfort, but real.
The bigger near-term risk for most SMEs is not a regulator knocking. It is a customer, an investor, or a partner asking "how do you comply with the EU AI Act?" during due diligence, and having nothing to show. AI literacy is one of the cheapest, fastest things to get right. There is no reason to be caught flat.
Your Next Steps
You can close most of this gap in an afternoon. Here is the order we would do it in:
- List your AI tools. Every system in use, internal and customer-facing. You cannot make people literate about tools you have not mapped.
- Match literacy to role. Use the table above. Short briefing for light users, deeper training for anyone making decisions on AI output or building with it.
- Write it down. A one-page internal AI policy plus a short staff briefing is enough to start. Keep the records, that is your evidence.
- Find your risk tier. Literacy is one duty. Know which others apply by running the free risk check, which returns your role and tier in about 90 seconds.
- Build the paper trail. When you are ready to turn this into proper documentation, the AI Comply HQ assessment walks you through it system by system and drafts the records for you.
Article 4 is the rare compliance task that is genuinely quick to satisfy. The expensive mistake is assuming the whole Act is still over the horizon when one piece of it has been live for over a year. Find out where you stand, do the short version of the work, and move on with proof in hand.
Check your risk level free (90 seconds)For more, see whether small companies have to comply at all, the difference between a provider and a deployer, the full enforcement dates and deadlines, and what your AI chatbot owes once transparency rules land.